\select@language {dutch}
\contentsline {chapter}{Voorwoord}{i}
\contentsline {chapter}{\numberline {1}Inleiding}{1}
\contentsline {section}{\numberline {1.1}Achtergrond}{1}
\contentsline {subsection}{\numberline {1.1.1}Dynamische Websites}{1}
\contentsline {subsection}{\numberline {1.1.2}Web Mashups}{1}
\contentsline {subsection}{\numberline {1.1.3}JavaScript}{2}
\contentsline {section}{\numberline {1.2}Security Requirements}{2}
\contentsline {section}{\numberline {1.3}Current state of practice}{3}
\contentsline {subsection}{\numberline {1.3.1}Script inclusion}{4}
\contentsline {subsection}{\numberline {1.3.2}IFrame integration}{4}
\contentsline {section}{\numberline {1.4}Current state of the art}{4}
\contentsline {subsection}{\numberline {1.4.1}CaJa, AdSafe}{4}
\contentsline {subsection}{\numberline {1.4.2}WebJail, Conscript}{5}
\contentsline {section}{\numberline {1.5}Doelstellingen}{5}
\contentsline {chapter}{\numberline {2}Narcissus}{6}
\contentsline {section}{\numberline {2.1}Werking}{7}
\contentsline {subsection}{\numberline {2.1.1}Narcissus context}{8}
\contentsline {subsection}{\numberline {2.1.2}Code uitvoering in Narcissus}{8}
\contentsline {section}{\numberline {2.2}Testproces}{9}
\contentsline {subsection}{\numberline {2.2.1}De Testsuite}{9}
\contentsline {subsubsection}{Aanpassingen aan de Testsuite}{10}
\contentsline {subsection}{\numberline {2.2.2}Tests}{11}
\contentsline {subsection}{\numberline {2.2.3}Patches}{12}
\contentsline {subsubsection}{Patch 1: Undefined variables}{12}
\contentsline {subsubsection}{Patch 2: instanceof}{13}
\contentsline {subsubsection}{Patch 3: XMLHttpRequest}{13}
\contentsline {subsubsection}{Kleinere patches}{14}
\contentsline {subsection}{\numberline {2.2.4}Resultaten}{14}
\contentsline {subsection}{\numberline {2.2.5}Conclusie}{17}
\contentsline {chapter}{\numberline {3}Implementatie}{18}
\contentsline {section}{\numberline {3.1}Policies}{18}
\contentsline {subsubsection}{Policies toepassen}{19}
\contentsline {section}{\numberline {3.2}Aanpassingen aan Narcissus}{20}
\contentsline {subsection}{\numberline {3.2.1}Narcissus.interpreter.evaluate()}{20}
\contentsline {subsection}{\numberline {3.2.2}Narcissus.interpreter.parsePolicy()}{21}
\contentsline {subsection}{\numberline {3.2.3}Narcissus.interpreter.getValue()}{23}
\contentsline {subsection}{\numberline {3.2.4}Narcissus.interpreter.putValue()}{25}
\contentsline {chapter}{\numberline {4}Beveiliging}{26}
\contentsline {section}{\numberline {4.1}Aanpassen van policies}{26}
\contentsline {section}{\numberline {4.2}Code uitvoeren in Spidermonkey context}{27}
\contentsline {subsection}{\numberline {4.2.1}setTimeout / setInterval}{27}
\contentsline {subsection}{\numberline {4.2.2}Aanmaken van script element}{28}
\contentsline {subsection}{\numberline {4.2.3}HTML injectie}{29}
\contentsline {subsubsection}{innerHTML}{30}
\contentsline {subsubsection}{Events}{32}
\contentsline {subsubsection}{XSS aanvallen}{33}
\contentsline {chapter}{\numberline {5}Besluit}{35}
\contentsline {section}{\numberline {5.1}Verwezenlijkingen}{36}
\contentsline {section}{\numberline {5.2}Beperkingen}{37}
\contentsline {subsubsection}{Narcissus.interpreter.evaluateUrl()}{37}
\contentsline {subsubsection}{IFrame}{37}
\contentsline {subsubsection}{document.write()}{38}
\contentsline {subsubsection}{Flash}{38}
\contentsline {subsubsection}{Reguliere Expressies}{39}
\contentsline {subsubsection}{Veiligheid}{39}
\contentsline {section}{\numberline {5.3}Conclusie}{40}
\contentsline {chapter}{\numberline {A}Wegwijs in de code}{42}
\contentsline {section}{\numberline {A.1}API}{42}
\contentsline {subsubsection}{Narcissus.interpreter.evaluate(string code, [JSON policy])}{42}
\contentsline {subsubsection}{Narcissus.interpreter.evaluateUrl(string url, [JSON policy])}{43}
\contentsline {subsubsection}{Narcissus.interpreter.evaluateHTML(string HTML, [Node appendTo])}{43}
\contentsline {section}{\numberline {A.2}Testsuite}{44}
\contentsline {subsection}{\numberline {A.2.1}Overzicht}{44}
\contentsline {subsection}{\numberline {A.2.2}Zelf testen}{44}
